Lazarus Backdoor with IT Lure
On January 27, 2025, @smica83 shared a sample on X indicating that it looked like Lazarus malware. I reviewed the sample and concluded that, indeed, it is a North Korean backdoor, likely the latest version of a backdoor publicly tracked as PEBBLEDASH.

The file shared by @smica83 is a portable executable named iconcache.tmp.pif, with SHA-256 d0a41dfe8f5b5c8ba6a5d0bdc3754543210ec2d36290564d9a774e9d22e3ad97. Note the extension: Windows runs a .pif file as an executable and Explorer hides the .pif suffix by default, so on disk the file looks like a harmless iconcache.tmp. Reviewing connected samples in VirusTotal, I could see two droppers leading to this executable.

Taking 6744ca5d49833c9b90aee0f3be39d28dec94579b028b05c647354ec5e1ab53e1 as a sample dropper, we can see it is a 64-bit portable executable with a PDF icon as a lure. The dropper is obfuscated; when run, it drops and opens a decoy PDF named 2025년 01월 오라클 정기점검(서명완).pdf, which translates to Oracle Scheduled Maintenance in January 2025 (Seo Myeong-wan). It also drops the executable shared by @smica83, iconcache.tmp.pif. Both files are written under C:\ProgramData.

The PDF seems to be a monthly inspection report from South Korean IT company DBWorks, potentially for their client …
IoC
http://www.addfriend.kr/board/userfiles/temp/index.html
SHA-256 d0a41dfe8f5b5c8ba6a5d0bdc3754543210ec2d36290564d9a774e9d22e3ad97 (iconcache.tmp.pif, backdoor)
SHA-256 6744ca5d49833c9b90aee0f3be39d28dec94579b028b05c647354ec5e1ab53e1 (dropper with PDF icon)
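As an added example (my own hunting script, not code from the original post or from any tool it mentions), the following Python turns the two file hashes above and the dropped-file pattern described in the post into a host check. It walks a directory tree, flags any file whose SHA-256 matches the IoC list, and separately flags .pif executables, noting when one sits beside a .pdf, which is the decoy-plus-backdoor layout the dropper leaves under C:\ProgramData. The hash-match logic is exact; the .pif heuristic is an assumption that legitimate software does not drop .pif files there and is meant for triage, not as a sole detection. The default root when run on Windows is C:\ProgramData; elsewhere it scans the current directory.

```python
"""Hunt a directory tree for the IoCs from this post (added example)."""
import hashlib
import os
from pathlib import Path

# SHA-256 values copied from the post's IoC list.
KNOWN_HASHES = {
    "d0a41dfe8f5b5c8ba6a5d0bdc3754543210ec2d36290564d9a774e9d22e3ad97":
        "iconcache.tmp.pif (backdoor)",
    "6744ca5d49833c9b90aee0f3be39d28dec94579b028b05c647354ec5e1ab53e1":
        "dropper with PDF icon",
}

# Heuristic assumption: a .pif (Windows still executes it, and Explorer
# hides the extension) has no legitimate reason to live under ProgramData.
SUSPICIOUS_EXTS = {".pif"}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, known_hashes=KNOWN_HASHES):
    """Return a list of (path, reason) tuples for files matching the IoCs.

    A hash match wins over the extension heuristic; a .pif that sits in the
    same directory as a .pdf is reported with the decoy pattern noted.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        has_pdf = any(n.lower().endswith(".pdf") for n in files)
        for name in files:
            p = d / name
            if not p.is_file():
                continue
            digest = sha256_file(p)
            if digest in known_hashes:
                hits.append((str(p), f"sha256 match: {known_hashes[digest]}"))
                continue
            if p.suffix.lower() in SUSPICIOUS_EXTS:
                reason = "executable .pif file"
                if has_pdf:
                    reason += " beside a .pdf (decoy pattern)"
                hits.append((str(p), reason))
    return hits


if __name__ == "__main__":
    scan_root = r"C:\ProgramData" if os.name == "nt" else "."
    for path, reason in hunt(scan_root):
        print(f"{path}: {reason}")
```

Run it as an administrator on the host being triaged so every subdirectory of C:\ProgramData is readable; any hash hit is a confirmed IoC match, while a .pif hit only tells you where to look next.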